4.  Focus areas









             S13. The impact of XSS is moderate for reflected and DOM XSS and severe for stored XSS, with
             remote code execution on the victim’s browser, such as stealing credentials, sessions, or delivering
             malware to the victim.

             S14. While some known vulnerabilities lead to only minor impacts, some of the largest breaches to
             date have relied on exploiting known vulnerabilities in components.
             S15. Most successful attacks start with vulnerability probing. Allowing such probes to continue can
 S1. Malicious users can deface the website.
             raise the likelihood of a successful exploit to nearly 100%.
 S2. Any harmful actor may get access to confidential information.
 S3. The availability of the website/app can be hampered.

 S4. The malicious user may change/modify the content on the website.
 S5.  Security  failures  typically  lead  to  unauthorised  information  disclosure,  modification,  or   Lifecycle management  4.4
 destruction of all data or performing a business function outside the user's limits.
 S6.  A  file  upload  flaw  allows  an  attacker  to  retrieve  the  password  database.  Security  of  web
 applications determine the protection needs of data in transit and at rest. Attackers can steal such   Maintaining a website/app is just as important   properly.  This  involves  updating  website/app

 information for example, passwords, credit card numbers, health records, personal information and   as developing it because a website/app is a   content, monitoring performance, ensuring
 business secrets require extra protection, mainly if that data falls under privacy laws, Personal data   dynamic  entity  that requires  regular  updates   security, fixing bugs and errors and optimising
 protection bill etc.   and monitoring  to  remain  relevant,  functional   the  website/app  for  search  engines.

 S7.  An  attacker  monitors  network  traffic  (e.g.,  at  an  insecure  wireless  network),  downgrades   and secure. Without proper maintenance, a   Establishing policies and procedures for
 connections from HTTPS to HTTP, intercepts requests and steals the user's session cookie. The   website/app can become vulnerable to   website/app  maintenance  is  important,
 attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or   security breaches, performance issues and   including a change management process,
 modifying the user's private data. Instead of the above they could alter all transported data, e.g., the   content that is outdated or irrelevant, which   backup and disaster recovery plans, security
 recipient of a money transfer.  can negatively impact the user experience and   policies and a content management plan.

 S8.  Almost any source of data can be an injection vector, environment variables, parameters,   drive  away  potential  visitors.  Regular  Regularly  monitoring  the  website's
 external and internal web services and all types of users. Injection flaws occur when an attacker can   maintenance can help prevent security   performance, user engagement and search
 send hostile data to an interpreter.  breaches, ensure functionality,  keep content   engine optimization is crucial to ensure that

 S9.  Attackers have to gain access to only a few accounts, or just one admin account to   up-to-date and optimise the website/app for   the website/app is meeting its objectives and
 compromise the system. Depending on the domain of the application, this may allow money   search engines. Therefore, website/app life   to identify areas for improvement.
 laundering, social security fraud and identity theft, or disclose legally protected highly sensitive   cycle  management,  including  ongoing  The risks already identified under ‘Quality’ are
 information.  maintenance, is crucial for the success and      also associated with the non-conformity of the
 S10. Security flaws can be used to extract data, execute a remote request from the server, scan   longevity of a website.  Lifecycle Management guidelines.

 internal systems, perform a denial-of-service attack, as well as execute other attacks. The business   After  launching  a  website,  ongoing
 impact depends on the protection needs of all affected applications and data.  maintenance is essential to keep the
 S11. Attackers acting as users or administrators, or users using privileged functions, can create,   website/app  up-to-date  and functioning

 access, update or delete every record.
 S12. Security  misconfiguration  frequently  gives  attackers  unauthorised  access  to  some  system
 data or functionality. Occasionally, such flaws result in a complete system compromise.






                                                             29